[gin-auth] FW: DN imcompatibility issue

Cindy Zheng zhengc at sdsc.edu
Mon Apr 24 18:59:31 CDT 2006


-----Original Message-----
From: Charles Bacon [mailto:bacon at mcs.anl.gov] 
Sent: Monday, April 24, 2006 3:05 PM
To: zhengc at sdsc.edu
Cc: allcock at mcs.anl.gov; childers at mcs.anl.gov
Subject: Re: DN imcompatibility issue


On Apr 24, 2006, at 4:30 PM, Cindy Zheng wrote:

> Dear Bill,
>
> During our chat at PRAGMA10, I mentioned the DN
> incompatibility issue we encountered in our Grid
> interoperation effort. Here is a detailed description
> http://goc.pragma-grid.net/gin/Cert-probs-GIN.pdf
> Would appreciate any comments and suggestions.
> I'm cc'ing to Lisa and Charles for comments as well.

This came up when we upgraded our version of OpenSSL back in mid-2004
in the 3.2 release of the Globus Toolkit.  Here's the bug that was
opened about the issue:
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=575
The reporter, Keith Thompsen, also sent an email at the same time:
http://www-unix.globus.org/mail_archive/security/2004/10/msg00000.html

The issue arises when an OID (like 0.9.2342.19200300.100.1.1) doesn't  
have a canonical mapping to a human-readable string like "UID".  The  
RFC quoted in the paper mentions that UID is preferred to USERID, but  
that doesn't address the other problematic RDNs like serialNumber and  
emailAddress.

There are two approaches the community at large has taken.  One is to  
standardize on a particular version of the openssl libraries - for  
instance, we have used 0.97c for a while.  This is mentioned in the  
conclusion when the author mentions upgrading the ASN.1 encoding used  
by the VOMS Admin.  The other approach is to allow flexibility in the  
interpretation of the RDN, which is referred to in the paper as "The  
hack".  Adding both USERID and UID versions of the DN to the grid-mapfile
(or equivalent) and CA signing policy files allows the OID
blob to be rendered to text either way.  I believe this is the  
approach taken by TeraGrid and the gx-map tool.  Here's an example  
pair of entries in their grid-mapfile:
"/C=US/O=UTAustin/OU=TACC/CN= Chris Gilpin/UID=tg456958" cgilpin
"/C=US/O=UTAustin/OU=TACC/CN= Chris Gilpin/USERID=tg456958" cgilpin

And in the signing policy for that CA:
# TACC CA signing Policy

access_id_CA      X509         '/C=US/O=UTAustin/OU=TACC/CN=TACC Certification Authority/USERID=caman'
pos_rights        globus        CA:sign
cond_subjects     globus       '"/C=US/O=UTAustin/OU=TACC/*"'

access_id_CA      X509         '/C=US/O=UTAustin/OU=TACC/CN=TACC Certification Authority/UID=caman'
pos_rights        globus        CA:sign
cond_subjects     globus       '"/C=US/O=UTAustin/OU=TACC/*"'


I hope this helps,

Charles
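As an added example (not code from this thread, nor from Globus or the gx-map tool), a small Python normaliser that treats the USERID and UID renderings of the same OID as one subject when consulting a grid-mapfile, so the pair of entries quoted above collapse to a single mapping and a pair that maps one subject to two different accounts is refused. The alias table and the sample grid-mapfile lines are assumptions constructed for the example.

```python
import re
# Attribute names that different OpenSSL releases have rendered for the same
# OID (assumption: illustrative list; extend it from the CAs you accept).
DN_ALIASES = {
    "USERID": "UID",          # 0.9.2342.19200300.100.1.1, the case in the thread
    "EMAIL": "EMAILADDRESS",  # 1.2.840.113549.1.9.1
}

def parse_dn(dn):
    """Split an OpenSSL one-line DN ('/C=US/O=X/CN=Y') into (type, value) pairs,
    upper-casing and alias-mapping the type and stripping whitespace around the
    value ('CN= Chris Gilpin'). Values that contain '/' are not handled."""
    rdns = []
    for part in dn.strip().split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        rdns.append((DN_ALIASES.get(attr, attr), value.strip()))
    return rdns

def canonical_dn(dn):
    """One comparison form for every rendering of the same certificate subject."""
    return "/" + "/".join(f"{a}={v}" for a, v in parse_dn(dn))

def load_gridmap(text):
    """Read grid-mapfile lines ("<DN>" localuser) into a dict keyed by canonical
    DN, so the UID and USERID entries for one subject collapse into one key."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r'"([^"]+)"\s+(\S+)', line)
        if not m:
            raise ValueError(f"bad grid-mapfile line: {line!r}")
        key, user = canonical_dn(m.group(1)), m.group(2)
        if mapping.get(key, user) != user:  # one subject, two accounts: refuse
            raise ValueError(f"{key} mapped to both {mapping[key]} and {user}")
        mapping[key] = user
    return mapping

def lookup(gridmap, subject):  # local account for a presented subject, any rendering
    return gridmap.get(canonical_dn(subject))

# Constructed sample modelled on the pair of entries in the message above.
GRIDMAP_SAMPLE = ('"/C=US/O=UTAustin/OU=TACC/CN= Chris Gilpin/UID=tg456958" cgilpin\n'
                  '"/C=US/O=UTAustin/OU=TACC/CN= Chris Gilpin/USERID=tg456958" cgilpin\n')
```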